#!/bin/bash
#
# 更新 Varnish CDN 的 SSL 证书
# 作者: 知汛项目组
# 最后更新: 2024-11-07

# 颜色定义
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m'

# 默认配置
DOMAIN="ws.waterism.tech"
CERT_DIR="/etc/hitch/certs"
RESTART_SERVICE=false

# 显示帮助信息
show_help() {
    cat << EOF
用法: $0 [选项]

更新 Varnish CDN 的 SSL 证书

选项:
    --domain DOMAIN    域名（默认: ws.waterism.tech）
    --restart          更新后重启服务
    --help            显示此帮助信息

示例:
    # 更新证书
    sudo bash $0

    # 更新证书并重启服务
    sudo bash $0 --restart

    # 指定域名
    sudo bash $0 --domain ws.waterism.tech --restart
EOF
}

# 解析参数
while [[ $# -gt 0 ]]; do
    case $1 in
        --domain)
            DOMAIN="$2"
            shift 2
            ;;
        --restart)
            RESTART_SERVICE=true
            shift
            ;;
        --help)
            show_help
            exit 0
            ;;
        *)
            echo -e "${RED}未知参数: $1${NC}"
            show_help
            exit 1
            ;;
    esac
done

# 检查root权限
if [ "$EUID" -ne 0 ]; then
    echo -e "${RED}请使用root权限运行此脚本: sudo $0${NC}"
    exit 1
fi

echo "======================================"
echo "更新 Varnish CDN SSL 证书"
echo "======================================"
echo "域名: $DOMAIN"
echo ""

# 检查证书源文件
echo -e "${YELLOW}[1/4] 检查证书文件...${NC}"
if [ ! -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]; then
    echo -e "${RED}✗ 证书文件不存在: /etc/letsencrypt/live/$DOMAIN/fullchain.pem${NC}"
    exit 1
fi

if [ ! -f "/etc/letsencrypt/live/$DOMAIN/privkey.pem" ]; then
    echo -e "${RED}✗ 私钥文件不存在: /etc/letsencrypt/live/$DOMAIN/privkey.pem${NC}"
    exit 1
fi

echo -e "${GREEN}✓ 证书文件存在${NC}"

# 备份旧证书
echo -e "${YELLOW}[2/4] 备份旧证书...${NC}"
if [ -f "$CERT_DIR/cdn.pem" ]; then
    cp "$CERT_DIR/cdn.pem" "$CERT_DIR/cdn.pem.backup.$(date +%Y%m%d_%H%M%S)"
    echo -e "${GREEN}✓ 旧证书已备份${NC}"
else
    echo -e "${YELLOW}  没有旧证书，跳过备份${NC}"
fi

# 生成新证书
echo -e "${YELLOW}[3/4] 生成新证书...${NC}"
mkdir -p "$CERT_DIR"

cat "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" \
    "/etc/letsencrypt/live/$DOMAIN/privkey.pem" \
    > "$CERT_DIR/cdn.pem"

# 设置权限
chmod 600 "$CERT_DIR/cdn.pem"
chown hitch:hitch "$CERT_DIR/cdn.pem" 2>/dev/null || \
  chown root:root "$CERT_DIR/cdn.pem"

echo -e "${GREEN}✓ 新证书已生成${NC}"

# 验证证书
echo -e "${YELLOW}[4/4] 验证证书...${NC}"
if openssl x509 -in "$CERT_DIR/cdn.pem" -text -noout > /dev/null 2>&1; then
    echo -e "${GREEN}✓ 证书格式正确${NC}"
    
    # 显示证书信息
    echo ""
    echo "证书信息:"
    openssl x509 -in "$CERT_DIR/cdn.pem" -noout -subject -dates
else
    echo -e "${RED}✗ 证书格式错误${NC}"
    exit 1
fi

# 重启服务
if [ "$RESTART_SERVICE" = true ]; then
    echo ""
    echo -e "${YELLOW}重启 Hitch 服务...${NC}"
    
    if systemctl list-units --full -all | grep -q "hitch-cdn.service"; then
        systemctl reload hitch-cdn
        echo -e "${GREEN}✓ Hitch 服务已重载${NC}"
    elif systemctl list-units --full -all | grep -q "hitch.service"; then
        systemctl reload hitch
        echo -e "${GREEN}✓ Hitch 服务已重载${NC}"
    else
        echo -e "${YELLOW}  未找到 Hitch 服务，请手动重启${NC}"
    fi
fi

echo ""
echo -e "${GREEN}✓ 证书更新完成${NC}"
echo ""
echo "测试 HTTPS 连接:"
echo "  curl -I https://$DOMAIN:6443/"

